newbie question nfs4 with kerberos

Kevin Coffman kwc at citi.umich.edu
Mon Feb 11 11:21:41 EST 2008


On Feb 11, 2008 10:08 AM, Rüdiger Meier <sweet_f_a at gmx.de> wrote:
> Hi,
>
> I want to change to nfs4 + kerberos just to have a better authentication of
> client and server machines instead of that poor IP based restrictions.
>
> So I installed kerberos:
>
> $ kdb5_util create -r XY.COM -s
>
> $ kadmin.local
> kadmin: addprinc -randkey nfs/myclient.xy.com
> kadmin: ktadd -e des-cbc-crc:normal -k keytab.client nfs/myclient.xy.com
> kadmin: addprinc -randkey nfs/myclient.xy.com
> kadmin: ktadd -e des-cbc-crc:normal -k keytab.server nfs/myserver.xy.com
>
> then copied that keytabs to client and server, and
>
> /etc/krb5.conf:
>
> [libdefaults]
>  default_realm = XY.COM
>
> [realms]
>  XY.COM = {
>   kdc = kdc.xy.com
>   admin_server = kdc.xy.com
>  }
>
> [domain_realm]
>  .xy.com = XY.COM
>  www.xy.com = XY.COM
>
> /etc/exports:
>
> /exports gss/krb5i(fsid=0,ro,root_squash,sync,no_subtree_check)
> /exports/home gss/krb5i(rw,nohide,no_root_squash,sync,no_subtree_check)
> /exports/data gss/krb5i(rw,nohide,no_root_squash,sync,no_subtree_check)
>
> I can mount /home and /data as I expected but my problem now is that all
> file accesses by any user are "squashed" to nobody/nogroup

That sounds more like idmapd isn't running or configured correctly?

> So I guess that the users would need to get a user ticket from kerberos.

If anyone besides root is accessing things at all, that is already happening?

> Is it possible to avoid that? I just want to authenticate the machines
> against each other - not the users so far.

Not that I am aware of.

K.C.
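An added offline check for the symptom Kevin points at (idmapd missing or misconfigured), not code from the thread: it compares the idmapd.conf Domain setting of client and server, since a mismatch makes idmapd fall back to Nobody-User/Nobody-Group, and confirms a saved `klist -k` listing contains the nfs/<host> principal created above. The sample files are constructed; on a real system read /etc/idmapd.conf and `klist -k` output on each machine.

```shell
# Added diagnostic for the "everything maps to nobody/nogroup" symptom.
# File contents written by make_samples are constructed samples.

idmap_domain() {
    # Print the Domain value of an idmapd.conf-style file (first match only).
    sed -n 's/^[[:space:]]*Domain[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | head -n 1
}

check_idmap_domains() {
    # Succeed only when both files set Domain and the values agree; client
    # and server must map the same NFSv4 "user@domain" names.
    c=$(idmap_domain "$1")
    s=$(idmap_domain "$2")
    [ -n "$c" ] && [ -n "$s" ] && [ "$c" = "$s" ]
}

keytab_has_nfs_principal() {
    # $1: saved `klist -k` output, $2: host FQDN. Matches "KVNO nfs/<host>@<realm>";
    # dots in $2 are regex wildcards here, good enough for a sanity check.
    grep -q "^ *[0-9][0-9]* *nfs/$2@" "$1"
}

make_samples() {
    # Write constructed sample files into directory $1 for an offline run.
    mkdir -p "$1"
    printf '[General]\nDomain = xy.com\n[Mapping]\nNobody-User = nobody\nNobody-Group = nogroup\n' > "$1/idmapd.client"
    printf '[General]\nDomain = xy.com\n' > "$1/idmapd.server"
    printf '[General]\nVerbosity = 0\n' > "$1/idmapd.server.nodomain"
    printf 'Keytab name: FILE:keytab.client\nKVNO Principal\n---- ----\n   2 nfs/myclient.xy.com@XY.COM\n' > "$1/klist.client"
}

# Stand-alone run against the constructed samples.
d=$(mktemp -d); make_samples "$d"
check_idmap_domains "$d/idmapd.client" "$d/idmapd.server" && echo "idmapd Domain matches"
check_idmap_domains "$d/idmapd.client" "$d/idmapd.server.nodomain" || echo "server sets no Domain: expect nobody/nogroup"
keytab_has_nfs_principal "$d/klist.client" myclient.xy.com && echo "client keytab has nfs/ principal"
rm -rf "$d"
```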
